Kurdish hacker hits scores of Irish websites

The National Treasury Management Agency website is shut down all day on Monday

Most of the hacked sites feature a posting of the Kurdish flag and the statement “long live Peshmerga”. Photograph: iStockphoto

Scores of Irish websites were targeted over the weekend by a Kurdish hacker expressing anti-Islamic State views, with the National Treasury Management Agency being forced to shut down its site for the entire day on Monday.

The Irish Times has established that sites including that of Minister of State for Tourism and Sport, Patrick O’Donovan, Irish Distillers, the National Centre for Pharmacoeconomics and singer Paul Brady, have been hacked by the perpetrator, known as MuhmadEmad.

Most of the hacked sites featured a posting of the Kurdish flag and the statement “long live Peshmerga”, a reference to the Kurdish army of Peshmerga, an anti-Islamic State, which is also known as Isis, force based in Iraq.

Other sites affected include one linked to Enterprise Ireland, the Irish site of outdoor advertising company JCDecaux, the Federation of Irish Sport, schools in Dublin and Donegal, and a regional modelling agency.

Defacement attack

Irish sites were not alone. The Kurdish hacker hit several European websites in recent days, with Brussels-based business technology website ZDnet, which was also affected, claiming the attacks were linked to a vulnerability in publishing software provider WordPress’s system.

Dublin-based IT security consultant Brian Honan said it appeared the Irish sites had all fallen victim to a defacement attack.

Mr Honan said the hacker would have scanned websites for a particular vulnerability, and targeted sites that were open to that.

“It’s like graffiti on the front window. It tends to arise in websites that are not patched regularly enough,” he said. “Software providers like WordPress regularly send out patches or updates to deal with vulnerabilities. WordPress had one in recent weeks. Sometimes, websites are targeted before they have had time to apply the patch.”

Representatives for WordPress hadn’t responded to questions from The Irish Times by the time of going to publication.

The NTMA said in a statement on Monday morning that its “standard IT protocols took effect as soon as the unauthorised access was detected” and that its decision to suspend its website, which is run off-site, had no impact on its systems or operations. The website was still down as on Monday night.

Hacker’s message

The Fine Gael page of Mr O’Donovan was among those affected. Michael O’Connor, a parliamentary assistant to the Minister, said the department received several phone calls from members of the public informing it of the hack.

He said the hacker’s message was up “for a few hours” but the Minister’s office had since changed the site’s login details. Mr O’Connor said the vulnerability “might have come through Wordpress”.

A spokesman for Irish Distillers, part of the Pernod Ricard group, said the company’s “site went dark for a brief period of time to allow for site testing and maintenance work” after the “unauthorised access attempt”.

“This is an ongoing global issue affecting thousands of websites,” he said. “We will continue to monitor over the coming days.”

Another Government-linked website affected was the Americas blog used by staff of Enterprise Ireland. Conor O’Donovan, head of communications for EI, said he had notified the agency’s IT department about the breach.

“We have taken it down to fix it. No confidential information was put at risk and our corporate site was unaffected,” he said.